Beth Barach, Scott Pope and Francis Cianfrocca
May 2015
Cisco ISE and Bayshore Networks
Securing the Internet of Things
The Internet of Everything (IoE)
Networked Connection of People, Process, Data, Things
Process Delivering the Right Information
to the Right Person (or Machine)
at the Right Time
Things Physical Devices and Objects
Connected to the Internet and
Each Other for Intelligent
Decision Making
IoE People
Connecting People in More
Relevant, Valuable Ways
Data Leveraging Data into
More Useful Information for
Decision Making
Cisco Confidential 3 C97-731576-00 © 2014 Cisco and/or its affiliates. All rights reserved.
“”The Internet of Things is the intelligent connectivity of physical devices driving massive gains in efficiency, business growth, and quality of life.”
What Is the Internet of Things?
The Trend of Network Threats
Data breaches and
theft will continue to be
a problem
IoT devices are not
designed for
cybersecurity
More devices mean
more to protect
Cybercrime is lucrative
Malware sophistication
and ease of use has
grown exponentially
The barrier to entry is low
Some lack basic
authentication
functionality
Designed under a model
of implicit trust
Use of unencrypted
protocols
Do you know the core
systems and
interconnections to keep
your business running?
How do you prioritize
events?
What’s the best use of
your resources?
• 73% of business decision makers expect IoT to cause security threats to
increase in severity over the next two years
• 49% of business decision makers cite security threats among top application
challenges
• 78% of IT security professionals are either unsure about their capabilities, or
believe they lack the visibility and management required to secure IoT devices
• 46% of IT security professionals do not believe that they have policies in place
that can drive the necessary level of visibility and management of IoT devices
Security is a Primary Inhibitor to IoT Adoption
IT OT
Control Centralized Zone-based
Connectivity “Any-to-Any” Context-based (Hierarchical)
Focus Top-down:
Operations and systems required to
run the business
Bottom-up:
Plant, Processes and Equipment
required to operate and support the
business
Reach Global (WAN) Local (LAN)
Network Posture Confidentiality, Integrity, Availability
(CIA)
Availability, Integrity, Confidentiality
(AIC)
Response to Attacks Quarantine/Shutdown to Mitigate Non-stop Operations/Mission Critical
– Never Stop, even if breached
IT and OT Are Inherently Different Architecture
IT OT
Top Priority Confidentiality
• Secure Access
• Data Protection
• Risk Mitigation
Availability
• Continuous Processes
• 24/7 Operations
Biggest Fear Network Intrusion
• Loss of Integrity
• Data Leakage
Loss of View/Control
• Process Shutdown
• Threats to Safety
Typical Security Solutions Cybersecurity
• Firewalls
• IPS/IDS
• Role-based Access Control
Physical Security
• IP Cameras
• Badge Readers
Weakness Stringent Security Controls
• Complex Passwords
• Rigorous Policies
Insecure Behavior
• Shortcuts
• Improper Hygiene
IT and OT Are Inherently Different Attitudes and Behaviors
Cisco Confidential 8 C97-731576-00 © 2014 Cisco and/or its affiliates. All rights reserved.
Network Security with Differential Applications Security Activity IT OT
Secure Access
• Role-based access for individuals
and groups
• VPN/remote access for most
systems throughout the network
• Complex passwords with lockout
policies
• Application control
• Role-based access to few
individuals
• VPN to few systems and users
• Badge readers/integrated sensors
• IP cameras with video analytics
• Simplified passwords (except for
the most critical systems)
Intrusion Prevention/Detection IPS – enforces policies IDS – sends security alert only
Threat Mitigation Quarantine affected system Analysis of the threat to determine
appropriate action
Data Integrity and Confidentiality Data Loss Prevention (DLP)
Insecure Behavior
• Shortcuts
• Improper Hygiene
Cisco Confidential 9 C97-731576-00 © 2014 Cisco and/or its affiliates. All rights reserved.
IoT Can Actually Increase Security Posture
Network of Security Devices
• Cyber Security
• Firewall, IDS
• Physical Security
• IP cameras, badge readers, analytics
Actionable Security Intelligence
• Automated / M2M
• Human Response
Remote Capabilities
• Configuration and Management
• Collaboration Between Groups
IDS
Secure Access Video+Analytics
NG Firewall
Security
Intelligence
Cisco Confidential 10 C97-731576-00 © 2014 Cisco and/or its affiliates. All rights reserved.
Securely Embrace IoT New challenges require new thinking
• Avoid operational siloes
• Networking and convergence are key
• Sound security solution is integrated throughout
• Build for the future
Security must be pervasive
• Inside and outside the network
• Device- and data-agnostic
• Proactive and intelligent
Intelligence, not data
• Convergence, plus analytics
• Content-aware filtration is essential for secure, scalable IoT
Cisco Confidential 11 C97-731576-00 © 2014 Cisco and/or its affiliates. All rights reserved.
Bayshore Networks
IT/OT Gateway
• Inspects, dissects and filters industrial application data • Leverages Cisco ISE pxGrid and TrustSec technologies
• OT and IIoT cybersecurity policy and enforcement • Secure M2M communications
• Network, protocol and application segmentation/isolation
• Industrial operations and safety
• Now available on the Cisco price list
Bayshore Networks
Standard IT security practices fail in IoT environment
• More machines than computers
• OT machines/robots are static and rarely change
• Many devices on the factory floor share IP addresses
Bayshore and Cisco Content Aware Cybersecurity
• Content based network segmentation and isolation
• Automatic device discovery and mapping by behavior
IT Security Practices and Industrial IoT
Threats to IT Threats to OT
Malware, Viruses Worms Life Safety
Information Theft Operational Disruption
Data Loss, Data Leakage Production Downtime
Employee Downtime
Physical Damage
IT and OT Cybersecurity Threats/Questions
Traditional Firewall Bayshore
Views packets Looks at transational behaviors, protocols and
the entire network flow
Rules based P/F decisions Content and protocol aware policies
Need to add support for industrial protocals
Rapidly expanding library of industrial protocols .
Supports any industrial protocols and transactions
at the content layer
Signatures and Application IDs Machine specific protection down to the data
transaction and content layer
OT Requires Machine Specific Protection
Bayshore – Cisco Stack
Policy/Metadata
Content and Applications
Industrial IoT Protocols
Network/Cloud
• Prevents disruptions in operational process continuity
• Machine specific attacks are blocked in the cloud
• Efficient centralized management of industrial security signatures and policy changes
• Easily enforces process specific policies such as line‐of‐sight rules at scale
OT visibility enables business value
Cybersecurity for Industrial IoT
Bayshore can deploy via
VM on Cisco UCS or
from the Cisco Cloud
Inspection and mitigation
Plant systems
current and secure
Bayshore
Cisco ISE
Mills Conveyors PLCs Robots
Secure Plant
ASA/Sourcefire
Cisco Confidential 19 C97-731576-00 © 2014 Cisco and/or its affiliates. All rights reserved.
Bayshore Manufacturing Demo
Protocol Verification - Manufacturing
Customer-specific
policies
A la carte
policies
Policies: Allow, Block, Modify and Report
Customer
A Customer
B Control Data Traffic:
Modbus/TCP
Modbus/TCP
at Recipient
Computers, DBs, Analytics Conveyors, PLCs, Robots, etc.
Cloud
ATTACK
root@sushi:/opt/BayshoreNetworks/
modbustcp_client1#
./bufferoverflow_unfiltered.sh
Private Network Connections
Protocol Verification - Manufacturing
Customer-specific
policies
A la carte
policies
Private Network Connections
Policies: Allow, Block, Modify and Report
Customer
A Customer
B Control Data Traffic:
Modbus/TCP
Modbus/TCP
at Recipient
Computers, DBs, Analytics Conveyors, PLCs, Robots, etc.
Cloud
RECEIVING MACHINE
Raw Request Payload: 414141414141
414141414141414141414141414141414
414141414141414141414141414141414
4 is disconnected
[]
Protocol Verification - Manufacturing
Customer-specific
policies
A la carte
policies
Policies: Allow, Block, Modify and Report
Control Data Traffic:
Modbus/TCP
Modbus/TCP
at Recipient
Computers, DBs, Analytics Conveyors, PLCs, Robots, etc.
Cloud
ATTACK WITH FILTER
[-] This anomaly is of interest:
[-] Host: 192.168.1.4
[-] Port: 502
[-] Slave ID: 5
[-] Target Type: Holding Register
[-] Function Code: 16
[-] Reason: No response received
Private Network Connections
Customer
A Customer
B
Protocol Verification - Manufacturing
Customer-specific
policies
A la carte
policies
Policies: Allow, Block, Modify and Report
Customer
A Customer
B Control Data Traffic:
Modbus/TCP
Modbus/TCP
at Recipient
Computers, DBs, Analytics Conveyors, PLCs, Robots, etc.
Cloud
RECEIVING MACHINE
(‘192.168.0.149’, 49133) is
connected with socket 4…
4 is disconnected
[]
Private Network Connections
Protocol Verification - Manufacturing
Customer-specific
policies
A la carte
policies
Policies: Allow, Block, Modify and Report
Customer
A Customer
B Control Data Traffic:
Modbus/TCP
Modbus/TCP
at Recipient
Computers, DBs, Analytics Conveyors, PLCs, Robots, etc.
Cloud
SYSLOG TRAIL
May 28 18:06:33 mockingbird AAP/
fproxd[6606]: ruleset=modbuscisco”
(ModbusTCP))
attacksignature=“Report Modbus
function” value=“16”
Private Network Connections
Device Fingerprinting - Manufacturing
Customer-specific
policies
A la carte
policies
Policies: Allow, Block, Modify and Report
Customer
A Customer
B Control Data Traffic:
Modbus/TCP
Modbus/TCP
at Recipient
Computers, DBs, Analytics Conveyors, PLCs, Robots, etc.
Cloud
PROBING
[!] Attempting to fingerprint
‘192.168.0.15’ on port 502,
Slave ID: 5
[+] Device ID value returned: Bay
shore Networks Modbus Slave v1.0
Private Network Connections
Device Fingerprinting - Manufacturing
Customer-specific
policies
A la carte
policies
Policies: Allow, Block, Modify and Report
Customer
A Customer
B Control Data Traffic:
Modbus/TCP
Modbus/TCP
at Recipient
Computers, DBs, Analytics Conveyors, PLCs, Robots, etc.
Cloud
MACHINE RESPONDS
Type: Response
Transaction Identifier: \x00\x00
Protocol Identifier: \x00\x00
Length Field: \x00\x2d\
Unit ID: \x05
Function Code: \x2b
Data: \x00\x00\x00\x00\x00\x00\x0
Private Network Connections
Device Fingerprinting - Manufacturing
Customer-specific
policies
A la carte
policies
Policies: Allow, Block, Modify and Report
Customer
A Customer
B Control Data Traffic:
Modbus/TCP
Modbus/TCP
at Recipient
Computers, DBs, Analytics Conveyors, PLCs, Robots, etc.
Cloud
PROBE WITH FILTER
Socket Timeout
[!} Attempting to fingerprint
‘192.168.1.4’ on port 502,
Slave ID 5
[-] No device ID value returned
Private Network Connections
Device Fingerprinting - Manufacturing
Customer-specific
policies
A la carte
policies
Policies: Allow, Block, Modify and Report
Customer
A Customer
B Control Data Traffic:
Modbus/TCP
Modbus/TCP
at Recipient
Computers, DBs, Analytics Conveyors, PLCs, Robots, etc.
Cloud
RECEIVING MACHINE
(‘192.168.0.149’, 49133) is
connected with socket 4…
4 is disconnected
[]
Private Network Connections
Device Fingerprinting - Manufacturing
Customer-specific
policies
A la carte
policies
Policies: Allow, Block, Modify and Report
Customer
A Customer
B Control Data Traffic:
Modbus/TCP
Modbus/TCP
at Recipient
Computers, DBs, Analytics Conveyors, PLCs, Robots, etc.
Cloud
SYSLOG TRAIL
May 28 18:07:33 mockingbird AAP/
fproxd[6606]: ruleset=modbuscisco”
“(Modbus TCP)” attacksignature=
“Modbus/TCP Device Fingerprint
Attack Blocked” value=“43”
Private Network Connections
Protocol verification
Device fingerprinting
Here are the Policy Rules
Thank you.